Merge pull request #25 from mimuret/feature/fast_rmatch

change rmatch method

Author: mimuret

.travis.yml

@@ -1,12 +1,13 @@
 language: c
+sudo: required
 before_install:
   - sudo apt-get -qq update
   - sudo apt-get install -y bind9 
 install: sudo ./install-dependencies.sh --debug
 compiler: gcc
 script:
   - ./autogen.sh
-  - ./configure --libdir=/lib
+  - ./configure --disable-check-ipv6
   - make
   - sudo make install
   - sudo make check

configure.ac

@@ -3,7 +3,7 @@
 
 AC_PREREQ([2.63])
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[1])
+m4_define([VERSION_MINOR],[2])
 m4_define([VERSION_MICRO],[0])
 AC_INIT(iptables-ext-dns,m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), [email protected], iptables-ext-dns)
 AC_SUBST(VERSION_INFO, [VERSION_MAJOR:VERSION_MINOR:VERSION_MICRO])
@@ -31,9 +31,8 @@ AC_HEADER_STDBOOL
 # Checks for library functions.
 AC_CHECK_FUNCS([strcasecmp strdup])
 
-AC_CONFIG_FILES([Makefile extensions/Makefile test/Makefile])
 
-AC_ARG_ENABLE(debug, [ --enable-debug trun on debugging [default no]],,enable_debug=no)
+AC_ARG_ENABLE(debug, [  --enable-debug trun on debugging [default no]],,enable_debug=no)
 AC_MSG_CHECKING(whether to enable debuging)
 if test x$enable_debug = xyes; then
    AC_MSG_RESULT(yes)
@@ -43,7 +42,20 @@ if test x$enable_debug = xyes; then
 else
    AC_MSG_RESULT(no)
 fi
+
+AC_ARG_ENABLE(check-ipv6, [  --enable-check-ipv6 trun on ipv6 check [default yes]],,enable_v6check=yes)
+AC_MSG_CHECKING(whether to enable check-ipv6)
+if test x$enable_v6check = xyes; then
+   AC_MSG_RESULT(yes)
+   AC_SUBST(RUN_TESTS, ["common ipv4 ipv6"])
+else
+   AC_MSG_RESULT(no)
+   AC_SUBST(RUN_TESTS, ["common ipv4"])
+fi
+
 AC_CHECK_FILE([/etc/redhat-release],[AC_SUBST(libdir,[/lib64])],[])
 AC_CHECK_FILE([/etc/debian_version],[AC_SUBST(libdir,[/lib])],[])
+
+AC_CONFIG_FILES([Makefile extensions/Makefile test/Makefile test/common/Makefile test/ipv4/Makefile test/ipv6/Makefile iptables-ext-dns.spec])
 LT_INIT
 AC_OUTPUT

extensions/libxt_dns.c

@@ -86,6 +86,7 @@ static void dns_init(struct xt_entry_match *m) {
     data->rcode = 0x00;
 
     data->qname[0] = 0;
+    data->qname_size = 1;
     data->qtype = 0xffff;
 
     data->invflags = 0x0000;
@@ -126,6 +127,15 @@ static void parse_qname(const char *flag, uint8_t *qname) {
         xtables_error(PARAMETER_PROBLEM, "Invalid qname %s '%s'", flag, qname);
     }
 }
+static int qname_size(const uint8_t *qname) {
+    uint8_t len = 0;
+    uint8_t llen = 255;
+    while (llen != 0 && len < XT_DNS_MAXSIZE) {
+        llen = *(qname + len);
+        len += llen + 1;
+    }
+    return len;
+}
 
 static int dns_parse(int c, char **argv, int invert, unsigned int *flags,
                      const void *entry, struct xt_entry_match **match) {
@@ -229,6 +239,7 @@ static int dns_parse(int c, char **argv, int invert, unsigned int *flags,
             xtables_error(PARAMETER_PROBLEM, "Only one `--qname' allowed");
         }
         parse_qname(optarg, data->qname);
+        data->qname_size = qname_size(data->qname);
         data->setflags |= XT_DNS_FLAG_QNAME;
         if (invert) {
             data->invflags |= XT_DNS_FLAG_QNAME;

include/xt_dns.h

@@ -23,6 +23,8 @@ struct xt_dns {
 
     uint16_t invflags; /* Inverse Flags */
     uint16_t setflags; /* Set Confitional flag */
+
+    uint8_t qname_size;
 };
 
 #define XT_DNS_FLAG_QR 0x0001

modules/xt_dns.c

@@ -37,15 +37,15 @@ MODULE_ALIAS("ip6t_dns");
 #define XT_PARAM const struct xt_match_param
 #define HOTDROP(par) *par->hotdrop = true
 #endif
-
 static bool dns_mt(const struct sk_buff *skb, XT_PARAM *par, int16_t offset) {
     const struct dns_h *dh; // dns header working pointer
     struct dns_h _dnsh;     // dns header buffer
 
     uint16_t qlen; // qname length, MAX 255
-    uint16_t mlen; // match qname length, MAX 255
     uint8_t llen;  // label length, MAX 63
 
+    int q, m; // tmp var
+
     uint8_t *qname;                 // qname working pointer
     uint8_t _qname[XT_DNS_MAXSIZE]; // qname buffer
     uint16_t qtype;                 // qtype buffer
@@ -106,18 +106,18 @@ static bool dns_mt(const struct sk_buff *skb, XT_PARAM *par, int16_t offset) {
         DEBUG_PRINT("not match RCODE");
         return false;
     }
-    DEBUG_PRINT("xt_dns: bit check done");
+    DEBUG_PRINT("xt_dns: done checking bits.");
     if ((dnsinfo->setflags & XT_DNS_FLAG_QNAME) ||
         (dnsinfo->maxsize < XT_DNS_FLAG_QNAME_MAXSIZE)) {
-        DEBUG_PRINT("xt_dns: start parse qname");
+        DEBUG_PRINT("xt_dns: start parse qname.");
         qname = _qname;
         qlen = 0;
         llen = 255;
         while (llen != 0 && qlen < XT_DNS_MAXSIZE) {
             // read label size
             if (skb_copy_bits(skb, offset, &llen, sizeof(uint8_t)) < 0 ||
                 llen > XT_DNS_LABEL_MAXSIZE) {
-                DEBUG_PRINT("xt_dns: invalid label len.");
+                DEBUG_PRINT("xt_dns: invalid label len %u->%x.", offset, llen);
                 HOTDROP(par);
                 return false;
             }
@@ -148,19 +148,17 @@ static bool dns_mt(const struct sk_buff *skb, XT_PARAM *par, int16_t offset) {
             return false;
         }
         if (dnsinfo->setflags & XT_DNS_FLAG_QNAME) {
-            qlen = mlen = 0;
-            DEBUG_PRINT("start qname matching.");
-            while (qlen < XT_DNS_MAXSIZE && qname[qlen] != 0 &&
-                   dnsinfo->qname[mlen] != 0) {
-                if (tolower(qname[qlen++]) != dnsinfo->qname[mlen++]) {
-                    if (dnsinfo->rmatch) {
-                        mlen = 0;
-                    } else {
-                        break;
-                    }
+            q = qlen - 1;
+            m = dnsinfo->qname_size - 1;
+            DEBUG_PRINT("start qname matching. q=%d,m=%d", q, m);
+            while (q >= 0 && m >= 0) {
+                DEBUG_PRINT("qm: qname[%d]=%d match[%d] = %d", q, qname[q], m,
+                            dnsinfo->qname[m]);
+                if (tolower(qname[q--]) != dnsinfo->qname[m--]) {
+                    break;
                 }
             }
-            if (!FWINVDNS((qname[qlen] == 0 && dnsinfo->qname[mlen] == 0),
+            if (!FWINVDNS((m < 0 && (q < 0 || dnsinfo->rmatch)),
                           XT_DNS_FLAG_QNAME)) {
                 DEBUG_PRINT("not match qname");
                 return false;

test/3.1.1_check_ipv4_udp_input.sh

@@ -1,18 +1 @@
-TESTS=1_module_load.sh \
-2_rule_create.sh \
-3.1.1_check_ipv4_udp_input.sh \
-3.1.2_check_ipv4_udp_prerouting.sh \
-3.2.1_check_ipv4_tcp_input.sh \
-3.2.2_check_ipv4_tcp_prerouting.sh \
-3.3.1_check_ipv6_udp_input.sh \
-3.3.2_check_ipv6_udp_prerouting.sh \
-3.4.1_check_ipv6_tcp_input.sh \
-3.4.2_check_ipv6_tcp_prerouting.sh \
-4.1.1_check_no_ipv4_udp_input.sh \
-4.1.2_check_no_ipv4_udp_prerouting.sh \
-4.2.1_check_no_ipv4_tcp_input.sh \
-4.2.2_check_no_ipv4_tcp_prerouting.sh \
-4.3.1_check_no_ipv6_udp_input.sh \
-4.3.2_check_no_ipv6_udp_mangle.sh \
-4.4.1_check_no_ipv6_tcp_input.sh \
-4.4.2_check_no_ipv6_tcp_prerouting.sh 
+SUBDIRS = @RUN_TESTS@

test/3.1.2_check_ipv4_udp_prerouting.sh

@@ -5,7 +5,7 @@ function ipt() {
   table=$2
   chain=$3
   act=$4
-  ./test-ipt.sh $cmd $table $chain $act
+  ../util/test-ipt.sh $cmd $table $chain $act
 }
 function begin() {
   cmd=$1

test/3.2.1_check_ipv4_tcp_input.sh

@@ -0,0 +1,2 @@
+TESTS=1_module_load.sh \
+2_rule_create.sh

test/3.2.2_check_ipv4_tcp_prerouting.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh iptables udp filter

test/3.3.1_check_ipv6_udp_input.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh iptables udp mangle

test/3.3.2_check_ipv6_udp_prerouting.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh iptables tcp filter

test/3.4.1_check_ipv6_tcp_input.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh iptables tcp mangle

test/3.4.2_check_ipv6_tcp_prerouting.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_nomatch.sh iptables udp filter

test/4.1.1_check_no_ipv4_udp_input.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_nomatch.sh iptables udp mangle

test/4.1.2_check_no_ipv4_udp_prerouting.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_nomatch.sh iptables tcp filter

test/4.2.1_check_no_ipv4_tcp_input.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_nomatch.sh iptables tcp mangle

test/4.2.2_check_no_ipv4_tcp_prerouting.sh

@@ -0,0 +1,8 @@
+TESTS = 3.1.1_check_ipv4_udp_input.sh \
+3.1.2_check_ipv4_udp_prerouting.sh \
+3.2.1_check_ipv4_tcp_input.sh \
+3.2.2_check_ipv4_tcp_prerouting.sh \
+4.1.1_check_no_ipv4_udp_input.sh \
+4.1.2_check_no_ipv4_udp_prerouting.sh \
+4.2.1_check_no_ipv4_tcp_input.sh \
+4.2.2_check_no_ipv4_tcp_prerouting.sh 

test/4.3.1_check_no_ipv6_udp_input.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh ip6tables udp filter

test/4.3.2_check_no_ipv6_udp_mangle.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh ip6tables udp mangle

test/4.4.1_check_no_ipv6_tcp_input.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh ip6tables tcp filter

test/4.4.2_check_no_ipv6_tcp_prerouting.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../util/query_match.sh ip6tables tcp mangle

test/Makefile.am

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../query_nomatch.sh ip6tables udp filter

test/1_module_load.sh test/common/1_module_load.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../query_nomatch.sh ip6tables udp mangle

test/2_rule_create.sh test/common/2_rule_create.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../query_nomatch.sh ip6tables tcp filter

test/common/Makefile.am

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+../query_nomatch.sh ip6tables tcp mangle

test/ipv4/3.1.1_check_ipv4_udp_input.sh

@@ -0,0 +1,9 @@
+TESTS=3.3.1_check_ipv6_udp_input.sh \
+3.3.2_check_ipv6_udp_prerouting.sh \
+3.4.1_check_ipv6_tcp_input.sh \
+3.4.2_check_ipv6_tcp_prerouting.sh \
+4.3.1_check_no_ipv6_udp_input.sh \
+4.3.2_check_no_ipv6_udp_mangle.sh \
+4.4.1_check_no_ipv6_tcp_input.sh \
+4.4.2_check_no_ipv6_tcp_prerouting.sh 
+

test/ipv4/3.1.2_check_ipv4_udp_prerouting.sh

@@ -4,7 +4,7 @@ IPT=$1
 PROTOCOL=$2
 TABLE=$3
 
-. query_match_common.sh
+. ../util/query_match_common.sh
 
 if [ "$TABLE" = "filter" ] ; then
   TARGET_CHAIN="INPUT"
@@ -15,10 +15,11 @@ fi
 
 function match_check() {
   val=$1
+  echo $val
   if [ "$val" != "0" ] ; then
-    return 1
+    return 0
   fi
-  return 0
+  return 1
 }
 
 function main() {